On 28/08/2012 9:18 a.m., Eliezer Croitoru wrote:
> On 8/27/2012 11:23 PM, Rafael Gomes wrote:
>> acl rafael external check_user rafael.gomes
>> http_access deny rafael
> you must understand that the check is yes\no match.
> it will request usename for:
> http_access deny rafael
>
> so if you have wrong username squid will move on to the next acl since
> the username is not a match to "rafael" acl.

Worse than this. You need the username details to supply %LOGIN. Which
in turn is used to determine what the username details are...

So Squid must already be aware of the username, finished performing
authentication in order to start calling ths ACL test.

There are two choices:
1) If you are already authenticating everyone. Create an "acl rafael
proxy_auth rafael" test. That ACL will check the credentials and match
only for that one user. So when you use it make sure its not on the end
of the line (eg test it with "http_access deny rafael all" to prevent
popups)

2) use a "fake" authentication helper (bundled now with squid 3.2) to
accept any garbage they send. It will still request credentials from the
browser though. User "Rafael" could simply send username "annie" and get
past this type of security block.